IFIN - The Independent Federated Intelligence Network1d ago

Looks like we have a live one here. Weird Rust maintainer phishing campaign using crates[.]ws:

https://discourse.ifin.network/t/bizarre-crates-io-phishing-campaign/232

Bizarre crates.io phishing campaign

Observable: crates[.]ws Observable Type: Domain Details: Rust maintainer phishing email sending users to a bogus Crates website. Interestingly it looks like the .ws domain redirects to .io unless you provide it direct parameters. Unclear the intention though. Full URI in the email: https://crates[.]ws/settings/profile?action=verify&e=SOMENUMBER https://bsky.app/profile/nabijaczleweli.xyz/post/3miyodcruiuy2

IFIN
Show threadDarses
@ifin
URLScan has an interesting subdomain `github-oauth.crates.ws` logged with a Github style login page: https://urlscan.io/result/019d6e08-183f-76a1-a960-ec337c405cd3/
github-oauth.crates.ws - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

Apr 8 at 8:36pmWeb
Show threadIFIN - The Independent Federated Intelligence Network1d ago
@darses Great catch!
Show threadDarses1d ago
@ifin
From what I can tell this DOM looks identical to the Github sign-in page. The hidden timestamp fields in the form fields even match the time the URL was submitted to URLScan, indicating this is not just a static copy. I have the feeling this is some sort of adversary-in-the-middle (aitm) framework.